Home/ Questions/Q 7506683
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T22:19:54+00:00

i use spring security to organize the security and user management in my GWT

  • 0

i use spring security to organize the security and user management in my GWT application. If i login as “admin”, logout, and login as another user the “SecurityContextHolder.getContext()” still returns me the “admin” authentication though i use the standard spring security logout URL (/j_spring_security_logout) and after logout have to login again to access the page… somebody has a hint? I’m at the end of my knowledge =/

filters in my web.xml:

   <filter>
      <filter-name>springSecurityFilterChain</filter-name>
      <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
   </filter>
   <filter-mapping>
     <filter-name>springSecurityFilterChain</filter-name>
     <url-pattern>/*</url-pattern>
   </filter-mapping>
   <listener>
      <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
   </listener>

applicationcontext.xml:

<bean class="service.security.DefaultPermissionEvaluator" id="permissionEvaluator"/>
<bean class="org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler" id="expressionHandler">
    <property name="permissionEvaluator" ref="permissionEvaluator"/>
</bean>
<sec:global-method-security pre-post-annotations="enabled">
  <sec:expression-handler ref="expressionHandler"/>
</sec:global-method-security> 
<bean class="service.security.DefaultAuthenticationProvider" id="authenticationProvider"/>
<bean class="service.security.DefaultUserDetailsManager" id="userDetailsManager"/>
<bean class="service.security.DefaultAuthenticationListener" id="customAuthListener"/>
<sec:authentication-manager>
  <sec:authentication-provider ref="authenticationProvider">
  </sec:authentication-provider>
</sec:authentication-manager>     
<sec:http auto-config="true" use-expressions="true">
  <sec:form-login default-target-url="/Index.html" always-use-default-target="true"/>
  <sec:logout invalidate-session="true" logout-success-url="/" logout-url="/j_spring_security_logout"/>
  <sec:intercept-url pattern="/service/admin/**" access="hasRole('ADMIN')"/>
  <sec:intercept-url pattern="/**" access="hasRole('USER')"/>
</sec:http>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The problem was i did this:

    class ServiceExample extends HttpServlet {
    private final Authentication auth;
    public ServiceExample() {
        this.auth = SecurityContextHolder.getContext().getAuthentication()
    }

    public User getCurrentUser() {
        return (User) this.auth.getPrincipal();
    }
}

    instead of:

    class ServiceExample extends HttpServlet {
    public ServiceExample() {
    }

    public User getCurrentUser() {
        return (User) SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    }
}

    Which makes the SecurityContext initialize once when somebody logs in (Jetty behavior) and not changing when somebody else logs in cause of jetty using the same instance…

    • 0